Browsers Gone Bad

12:35 PM -- The press covered it, the user community rejoiced, but what does it actually mean that the author of the first cross-site scripting (XSS) virus was prosecuted? The first ever XSS worm was called Samy after Samy Kamkar, who wrote the worm to test how popular he could be on MySpace by getting users to automatically add him to their friends list.

After infecting a million users with his worm (the largest infection in history) the exploit was finally halted by the administrators. Samy got barely a slap on the wrist by getting three years of probation and a few months of community service.

Still, it was the first XSS exploit that resulted in the arrest of the author. This case was pretty open and shut. Not only was the worm named after Samy, it was designed to get people to add him as their friend. He even went as far as to post on his Website a long explanation of how the worm worked. So we can be very certain that he was in fact the person responsible. However, the way XSS works, it can use other users' browsers against themselves.

That's right, Samy could have been framed. Not that he was framed in this case, but let's assume for a second that some random person on the Internet went to a malicious Website. Their browser could be sent through a cross-site request forgery to post an XSS vulnerability into the target Website. The target Website now contains a persistent exploit that was posted there by someone who may have never even heard of XSS, let alone wrote it. But because their account was the first Website to have the exploit posted to it, they would appear to be the originator of the worm.

Because the browser only keeps the cache of the sites they have visited for a certain amount of time (and caching can be removed using some header manipulation), it is highly possible that there would be no way to prove they weren't the author of the virus. If the original infection of the worm were more targeted to use the author's name, or otherwise appear to come from that user, it's possible that it would stand up in court. The worst part is that turning off JavaScript doesn't necessarily protect the user, if the server in question allows GET requests to post persistent exploits.

XSS brings a unique depth to exploitation. XSS and cross-site request forgeries allow the attacker to turn people's computers against them, as if the browser were a modern day proxy server.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading